Windows Authentication from a different domain

Question

I have a Website running in our domain which has Windows Authentication enabled. I want this website open to public via Azure and still authenticate users based on their Windows credentials.

I am considering 2 options.

1. Host the Website on Azure and follow AD FS techniques to achieve Windows Authentication

2. Do not host the Website on Azure, but map (or domain alias)  to a server (which has the Website) in our domain which is open to public. 

I need your advice on this guys. Which is better? Can I achieve Windows Authentication if I go with option 2. How would option 1 be implemented?

Thanks much in advance

Answer 1

Hello.

Chech these links:

http://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides(v=ws.10).aspx

http://blogs.msdn.com/b/card/archive/2011/01/05/single-sign-on-to-windows-azure-using-wif-and-adfs-whitepaper-released.aspx

http://blogs.msdn.com/b/willpe/archive/2010/10/25/windows-authentication-adfs-and-the-access-control-service.aspx

Answer 2

That helps Alexander. Thanks.

And what about option 2 - Not hosting the website on Azure but map to a server hosting the website on domain. Will this still qualify for enabling Windows Authentication?

Answer 3

Hi prudhvi,

I would go for a third option. Have the application run in Azure and use the Windows Azure AppFabric Access Control Service (ACS) to externalize the authentication part. That way, your application doesn't need to know where the authenticated users come from (Windows Live, GMail, ADFS, ...).

There are plenty of resources and examples on how you can integrated ACS with ADFS (and other identity providers) with your Azure application:

• http://acs.codeplex.com/wikipage?title=ACS%20Content%20Map 
• http://claimsid.codeplex.com/releases/view/67606  

If you go for option 2, you'll just go back to the 'prehistoric' setup where you have the server in your domain. Because this means you'll need to provide for the licenses, the hardware, the high availability, maintenance, ...

Sandrino

---

Sandrino Di Mattia | Twitter: http://twitter.com/sandrinodm | Azure Blog: http://fabriccontroller.net/blog | Blog: http://sandrinodimattia.net/blog

Answer 4

Yes, it will be ok. But i agree with Sandrino about option 3, i think you should think about it.

Answer 5

Thanks Sandrino, that helps.

I will go ahead with the third option and will post again how the implementation went. Hopefully with a detailed step-by-step guide that can help the community.

Thanks much people.

Answer 6

Sandrino,

I agree with your comments on option 2. If all the catches - licenses, hardware and maintenance are achieved and taken care of, will it qualify for enabling Windows Authentication?

Thanks

Answer 7

Yes, if the server has a connection with your domain (ie: if the server is in the domain, if the server can access the domain controller through vpn, ...)

---

Sandrino Di Mattia | Twitter: http://twitter.com/sandrinodm | Azure Blog: http://fabriccontroller.net/blog | Blog: http://sandrinodimattia.net/blog